| 131 | |
| 132 | // ServeCreateTicket handles POST /auth/rdp-ticket. |
| 133 | func (h *RDPHandler) ServeCreateTicket(w http.ResponseWriter, r *http.Request) { |
| 134 | userID, _ := r.Context().Value(middleware.UserIDKey).(string) |
| 135 | if userID == "" { |
| 136 | JSON(w, http.StatusUnauthorized, map[string]string{"error": "Unauthorized"}) |
| 137 | return |
| 138 | } |
| 139 | |
| 140 | var req struct { |
| 141 | HostID string `json:"hostId"` |
| 142 | Username string `json:"username"` |
| 143 | Password string `json:"password"` |
| 144 | Width int `json:"width,omitempty"` |
| 145 | Height int `json:"height,omitempty"` |
| 146 | } |
| 147 | if err := json.NewDecoder(r.Body).Decode(&req); err != nil { |
| 148 | JSON(w, http.StatusBadRequest, map[string]string{"error": "Invalid request body"}) |
| 149 | return |
| 150 | } |
| 151 | if req.HostID == "" { |
| 152 | JSON(w, http.StatusBadRequest, map[string]string{"error": "hostId is required"}) |
| 153 | return |
| 154 | } |
| 155 | |
| 156 | // Validate and clamp requested screen dimensions. |
| 157 | reqWidth, reqHeight := req.Width, req.Height |
| 158 | if reqWidth < 320 { |
| 159 | reqWidth = 1024 |
| 160 | } |
| 161 | if reqHeight < 480 { |
| 162 | reqHeight = 768 |
| 163 | } |
| 164 | if reqWidth > 8192 { |
| 165 | reqWidth = 8192 |
| 166 | } |
| 167 | if reqHeight > 8192 { |
| 168 | reqHeight = 8192 |
| 169 | } |
| 170 | |
| 171 | user, err := h.users.GetByID(r.Context(), userID) |
| 172 | if err != nil || user == nil || !user.IsActive { |
| 173 | h.log.Info("rdp-ticket user not found or inactive", "user_id", userID) |
| 174 | JSON(w, http.StatusUnauthorized, map[string]string{"error": "User not found or inactive"}) |
| 175 | return |
| 176 | } |
| 177 | |
| 178 | canUseRemoteAccess, err := h.userCanUseRemoteAccess(r.Context(), user) |
| 179 | if err != nil { |
| 180 | h.log.Warn("rdp-ticket permission lookup failed", "user_id", userID, "role", user.Role, "error", err) |
| 181 | JSON(w, http.StatusInternalServerError, map[string]string{"error": "Failed to verify permissions"}) |
| 182 | return |
| 183 | } |
| 184 | if !canUseRemoteAccess { |
| 185 | h.log.Info("rdp-ticket access denied", "user_id", userID, "role", user.Role) |
| 186 | JSON(w, http.StatusForbidden, map[string]string{"error": "Access denied"}) |
| 187 | return |
| 188 | } |
| 189 | |
| 190 | host, err := h.hosts.GetByID(r.Context(), req.HostID) |